Fortinet has released an emergency weekend security update for a new critical FortiClient Enterprise Management Server (EMS) vulnerability that is actively exploited in attacks.
Tracked as CVE-2026-35616, the flaw is an improper access control vulnerability that allows unauthenticated attackers to execute code or commands via specially crafted requests.
The issue was patched Saturday, with Fortinet confirming it has been exploited in the wild.
“Fortinet has observed this to be exploited in the wild and urges vulnerable customers to install the hotfix for FortiClient EMS 7.4.5 and 7.4.6,” warns Fortinet.
Fortinet says the vulnerability impacts FortiClient EMS versions 7.4.5 and 7.4.6 and can be mitigated by installing one of the following hotfixes:
- https://docs.fortinet.com/document/forticlient/7.4.5/ems-release-notes/832484 – for FortiClientEMS 7.4.5
- https://docs.fortinet.com/document/forticlient/7.4.6/ems-release-notes/832484 – for FortiClientEMS 7.4.6
The vulnerability will also be fixed in the upcoming FortiClientEMS 7.4.7. FortiClient EMS 7.2 is not affected.
The flaw was discovered by cybersecurity firm Defused, which described it as a pre-authentication API access bypass that allows attackers to bypass authentication and authorization controls entirely.
Defused shared on X that they observed the flaw being exploited as a zero-day earlier this week before reporting it to Fortinet under responsible disclosure.
Internet security watchdog Shadowserver has found over 2,000 exposed FortiClient EMS instances online, with the majority located in the USA and Germany.
The vulnerability follows a separate critical FortiClient EMS flaw, CVE-2026-21643, reported last week and also actively exploited in attacks.
Both vulnerabilities were discovered by Defused, with Fortinet also crediting Nguyen Duc Anh for the latest flaw.
Fortinet is urging customers to apply the hotfixes immediately or upgrade to version 7.4.7 when it becomes available to mitigate the risk of compromise.
Automated Pentesting Covers Only 1 of 6 Surfaces.
Automated pentesting proves the path exists. BAS proves whether your controls stop it. Most teams run one without the other.
This whitepaper maps six validation surfaces, shows where coverage ends, and provides practitioners with three diagnostic questions for any tool evaluation.
Related Articles:
Critical Fortinet Forticlient EMS flaw now exploited in attacks
Critical Citrix NetScaler memory flaw actively exploited in attacks
CISA: New Langflow flaw actively exploited to hijack AI workflows
CISA orders feds to patch max-severity Cisco flaw by Sunday
WordPress membership plugin bug exploited to create admin accounts